Critical severity · OSV Advisory · Published Jan 20, 2026 · Updated Jan 21, 2026
CVE-2025-65482
Description
An XML External Entity (XXE) vulnerability in opensagres XDocReport v0.9.2 to v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .docx file.
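The advisory describes the vulnerability in one sentence; the following standalone Java program is an added illustration (not code from the advisory or from the XDocReport project) of what the fix changes. It builds one SAX reader with default settings and one hardened with the three features named in the fix commit plus two stricter settings, then runs both over a constructed XML part whose DOCTYPE declares an external entity. It uses `SAXParserFactory` rather than the deprecated `XMLReaderFactory` the project calls; the sample part, its namespace, the entity name and the `file:///nonexistent/placeholder` URI are constructed placeholders.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class XxeHardeningDemo {

    // Constructed sample (not from the advisory): a document.xml-style part whose
    // DOCTYPE declares an external entity. A default parser tries to resolve the
    // SYSTEM URI as soon as the entity is referenced in content.
    static final String SAMPLE_PART =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE w:document [ <!ENTITY ext SYSTEM \"file:///nonexistent/placeholder\"> ]>\n"
      + "<w:document xmlns:w=\"urn:example:placeholder\"><w:t>&ext;</w:t></w:document>";

    // Reader with the JDK's default SAX settings: external entities are resolved.
    static XMLReader defaultReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newSAXParser().getXMLReader();
    }

    // Reader with the three features set by the fix commit, plus two stricter settings.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        // A document part never legitimately carries a DOCTYPE, so refuse it outright.
        // This also blocks internal-entity expansion, which the three flags below do not.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // The three features from the fix commit.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Turns on the JDK's entity-expansion and size limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newSAXParser().getXMLReader();
    }

    // Parses the sample with the given reader and reports what happened, so the two
    // configurations can be compared side by side.
    static String tryParse(String label, XMLReader reader) {
        reader.setContentHandler(new DefaultHandler());
        try {
            reader.parse(new InputSource(new StringReader(SAMPLE_PART)));
            return label + ": accepted the document";
        } catch (SAXParseException e) {
            // The hardened reader lands here: the DOCTYPE is rejected before any entity is touched.
            return label + ": rejected by the parser at line " + e.getLineNumber() + " - " + e.getMessage();
        } catch (SAXException e) {
            return label + ": SAX error - " + e.getMessage();
        } catch (IOException e) {
            // The default reader lands here: it tried to open the SYSTEM URI and failed.
            return label + ": attempted to resolve the external entity - " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(tryParse("default ", defaultReader()));
        System.out.println(tryParse("hardened", hardenedReader()));
    }
}
```

Run with `javac XxeHardeningDemo.java && java XxeHardeningDemo`. The default reader reports that it attempted to resolve the external entity (the placeholder path does not exist, so the attempt fails with an I/O error), while the hardened reader rejects the part at the DOCTYPE line before any entity is processed. The `disallow-doctype-decl` feature is the one to reach for first when, as with OOXML parts, the input format never needs a DOCTYPE.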
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fr.opensagres.xdocreport:fr.opensagres.xdocreport.document (Maven) | >= 0.9.2, < 2.0.4 | 2.0.4 |
Affected products
- Range: xdocreport-parent-1.0.5, xdocreport-parent-1.0.6, xdocreport-parent-2.0.0, …
Patches
d9b90ae6c948 fix XXE security issue (#547)
1 file changed · +4 −0
document/fr.opensagres.xdocreport.document/src/main/java/fr/opensagres/xdocreport/document/preprocessor/sax/SAXXDocPreprocessor.java+4 −0 modified@@ -56,6 +56,10 @@ public boolean preprocess( String entryName, InputStream reader, Writer writer, try { XMLReader xmlReader = XMLReaderFactory.createXMLReader(); + //To avoid xxe security issue + xmlReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false); + xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); BufferedDocumentContentHandler<?> contentHandler = createBufferedDocumentContentHandler( entryName, fieldsMetadata, formatter, sharedContext ); xmlReader.setContentHandler( contentHandler );
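Review bot: the three features added in SAXXDocPreprocessor.preprocess stop external DTD loading and external general/parameter entity resolution, but they still let a `<!DOCTYPE>` with internal entity declarations through, so an entity-expansion payload in a crafted part is still parsed; since a .docx XML part has no legitimate need for a DOCTYPE, add `xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` ahead of the other three, and `xmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` to enable the JDK's expansion limits. Two smaller points: the comment should read `// To avoid XXE security issue` with a space after the slashes to match the surrounding code, and this change touches only this one file (+4 −0), so any other place in the code base that creates an XMLReader or SAXParser needs the same settings for the fix to be complete.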
References
- github.com/advisories/GHSA-7jc7-g598-2p64 (GHSA: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-65482 (GHSA: ADVISORY)
- drive.google.com/drive/folders/1hUyCznpBN7ivo5krmyJ4OQc_q626Hy5q (GHSA: WEB)
- github.com/opensagres/xdocreport/commit/d9b90ae6c9489dc43f6427ec7b315cab34125332 (GHSA: WEB)
- hackmd.io/@cuongnh/r1B7B8fJ-g (GHSA: WEB)
- hackmd.io/@cuongnh/rkJPCgSy-l (GHSA: WEB)